Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!samsung!know!zaphod.mps.ohio-state.edu!sdd.hp.com!decwrl!hayes.fai.alaska.edu!accuvax.nwu.edu!nucsrl!telecom-request
From: jimb@silvlis.com (Jim Budler)
Newsgroups: comp.dcom.telecom
Subject: Re: ATM at Retailers
Message-ID: <12578@accuvax.nwu.edu>
Date: 24 Sep 90 18:26:12 GMT
Sender: news@accuvax.nwu.edu
Reply-To: Jim Budler
Organization: Silvar-Lisco,Inc. Sunnyvale Ca.
Lines: 71
Approved: Telecom@eecs.nwu.edu
X-Submissions-To: telecom@eecs.nwu.edu
X-Administrivia-To: telecom-request@eecs.nwu.edu
X-Telecom-Digest: Volume 10, Issue 677, Message 1 of 9

In article <12509@accuvax.nwu.edu> FREE0612@uiucvmd (David Lemson) writes:

>In a message of 23 Sep 90 16:49:02 GMT, Steven King uunet.uu.net> writes:

>>In article <12439@accuvax.nwu.edu> kaufman@Neon.Stanford.EDU (Marc T.
>>Kaufman) writes:

>>>You are not giving your PIN number to the merchant. The PIN is
>>>encrypted (mixed with your bank card number) in a ONE WAY algorithm by
>>>a chip that is in the PIN pad itself. The plaintext PIN never sees
>>>the light of day.

>>A one way algorithm? Pray, how does the bank decode it to verify you?
>>A gigantic lookup table?

> The bank doesn't need to "decode" it. The bank's computer knows
>what your PIN is supposed to be. So, it codes it with the same
>trap-door algorithm as the keypad did, and compares the two. FYI,
>this is the same way that the Unix operating system encrypts passwords
>with a one-way coding scheme, and stores them encoded. My guess is
>that your bank's computer stores your PIN encoded, so it simply
>compares the encoded incoming message with the encoded number stored
>in the machine.

I'm not even positive the bank always has your PIN in the first place.

Last year I was one of the lucky people to receive a letter telling me
that my Versateller card was being shut down, and that I would receive
a new one in a few days. Concurrently my HomeBanking stopped also.
This shutdown occurred because some people at one of the system
providers broke their trust and obtained a significant block of records
containing names, ATM numbers and PINs.

By system providers I mean the companies like Plus System, or Star, who
connect to the retail merchants and route requests from the retail
merchants to the bank ATM computer. The service providers are not
necessarily banks; they are potentially just a wholesale transaction
merchant. They do their thing for the $1 - $2 per transaction that they
get paid for facilitating the transaction.

So in the past some "merchant's employees", not a merchant, and actually
not the retail merchant, did exactly what was feared at the start of
this thread.

It took three separate mailings to get my Versatel card back in action.

1. The notice of the action and its cause.

2. The new Versatel account number and card.

3. A form on which I selected a new PIN to replace my old one. My old
   PIN was time-bombed so I was forced to select a new one.

Now back to the encryption algorithm. There actually was a transposition
pad on the form, so I encrypted my PIN, and sent the encrypted PIN, not
the PIN itself, back to the Bank. In addition, the PIN could now be
variable length, and the length was not reflected in the encrypted PIN I
sent back to the bank.

So I'm not sure the bank ever has my unencrypted PIN. Who knows, though?
Only the bank, for sure.

Jim Budler    jimb@silvlis.com    +1.408.991.6115
Silvar-Lisco, Inc.
703 E. Evelyn Ave.
Sunnyvale, Ca. 94086
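The verification scheme described in the quoted exchange above (the keypad applies a one-way transform to the PIN mixed with the card number, the bank recomputes the same transform against what it has on file and compares, never "decoding" anything), as an added Python example that is not part of this post or of the thread. SHA-256 and HMAC-SHA256 are assumptions standing in for the unspecified 1990 algorithm, and the card number, PIN and key are constructed values. The block also shows the check a practitioner would want before trusting "one-way" alone: a 4-digit PIN has only 10,000 candidates, so an unkeyed transform stored next to the card number can be searched offline in well under a second, whereas the same search against a transform keyed with a secret held only by the PIN pad and the bank's verification hardware turns up nothing.

```python
import hashlib
import hmac
import itertools
import os
from typing import Callable, Optional

# Constructed sample values for the demonstration; not real card data.
CARD_NUMBER = "4000123456789010"
PIN = "4921"

# Signature of "transform(card_number, pin) -> verifier bytes".
Transform = Callable[[str, str], bytes]


def unkeyed_verifier(card_number: str, pin: str) -> bytes:
    """One-way transform of the PIN mixed with the card number, as the thread
    describes the PIN pad's job. SHA-256 is an assumption standing in for
    whatever the 1990 hardware used; the property shown is the same."""
    return hashlib.sha256(f"{card_number}:{pin}".encode()).digest()


def keyed_verifier(key: bytes, card_number: str, pin: str) -> bytes:
    """Same construction, but keyed with a secret that lives only in the PIN
    pad and the bank's verification hardware (HMAC-SHA256; also an assumption)."""
    return hmac.new(key, f"{card_number}:{pin}".encode(), hashlib.sha256).digest()


def bank_checks_pin(on_file: bytes, received: bytes) -> bool:
    """The bank never decodes anything: it compares the transform received from
    the keypad against the transform it holds on file. Constant-time compare so
    timing does not leak how many leading bytes matched."""
    return hmac.compare_digest(on_file, received)


def brute_force_pin(card_number: str, on_file: bytes,
                    transform: Transform, pin_len: int = 4) -> Optional[str]:
    """Offline search by someone holding a stolen (card number, verifier) record.
    With an unkeyed transform every candidate can be recomputed and the PIN
    falls out; with a keyed transform and no key, no candidate ever matches."""
    for digits in itertools.product("0123456789", repeat=pin_len):
        guess = "".join(digits)
        if hmac.compare_digest(transform(card_number, guess), on_file):
            return guess
    return None


if __name__ == "__main__":
    # Normal operation with a keyed transform: enrol, then verify a later entry.
    pad_key = os.urandom(32)
    stored = keyed_verifier(pad_key, CARD_NUMBER, PIN)
    entered = keyed_verifier(pad_key, CARD_NUMBER, "4921")
    print("keyed verify:", bank_checks_pin(stored, entered))

    # The caveat: an unkeyed verifier plus the card number gives the PIN back.
    leaked = unkeyed_verifier(CARD_NUMBER, PIN)
    print("unkeyed PIN recovered:", brute_force_pin(CARD_NUMBER, leaked, unkeyed_verifier))

    # The same search without the pad key finds nothing.
    no_key = lambda c, p: keyed_verifier(b"", c, p)
    print("keyed PIN recovered:", brute_force_pin(CARD_NUMBER, stored, no_key))
```

The bank-side compare and the attacker's search are the same computation; the only thing separating them is whether the transform depends on a secret the stolen record does not contain, which is why a one-way function on its own is not enough for a four-digit secret.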